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ABSTRACT 

A hierarchical, decentralized diagnostic system is proposed for the Real-Time Diagnostic System component 
of the Intelligent Control System (ICS) for reusable rocket engines. The proposed diagnostic system has three layers 
of information processing: condition monitoring, fault mode detection, and expert system diagnosis. The condition 
monitoring layer is the first level of signal processing. Here, important features of the sensor data are extracted. 
These processed data are then used by the higher level fault mode detection layer to do preliminary diagnosis on 
potential faults at the component level. Because of the closely coupled nature of the rocket engine propulsion system 
components, it is expected that a given engine condition may trigger more than one fault mode detector. Expert 
knowledge is needed to resolve the conflicting reports from the various failure mode detectors. This is the function 
of the diagnostic expert layer. Here, the heuristic nature of this decision process makes it desirable to use an expert 
system approach. 

Implementation of the real-time diagnostic system described above requires a wide spectrum of information 
processing capability. Generally, in the condition monitoring layer, fast data processing is often needed for feature 
extraction and signal conditioning. This is usually followed by some detection logic to determine the selected faults 
on the component level. Three different techniques are used to attack different fault detection problems in NASA 
Lewis Research Center ICS testbed simulation. The first technique employed is the neural network application for 
real-time sensor validation which includes failure detection, isolation and accommodation. The second approach 
demonstrated is the model-based fault diagnosis system using on-line parameter identification techniques where input 
data are processed to estimate important parameters for the predefined fault detection algorithms. Besides these 
model based diagnostic schemes, there are still many failure modes which need to be diagnosed by the heuristic 
expert knowledge. The heuristic expert knowledge is implemented using a real time expert system tool called G2 
by Gensym Corp. Finally, the distributed diagnostic system requires another level of intelligence to oversee the fault 
mode reports generated by component fault detectors. The decision making at this level can be best done using a 
rule-based expert system. This level of expert knowledge is also implemented using G2™. 


Introduction 

In the effort of designing the real-time diagnostic system for the Intelligent Control System (ICS) of the 
Reusable Rocket Engine [1], a hierarchical, decentralized diagnostic system was proposed in [2] as the framework 
for the diagnostic subsystem for ICS research project. Figure 1 shows the proposed diagnostic system which has 
three layers of information processing. These are condition monitoring, fault mode detection, and expert system 
diagnosis. The condition monitoring layer is responsible for signal processing, signal conditioning, feature 
extractions, and pattern recognitions. Here, important features to be used in the diagnostic system are extracted from 
the incoming data stream and processed. The processed data are then used by the higher level fault mode detection 
layer to do preliminary diagnosis on potential faults at the component level. Because of the closely coupled nature 
of the rocket engine propulsion system components, it is expected that a given engine condition may trigger more 
than one fault mode detector. For example, a surge in the pump outlet temperature measurement on the low pressure 
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fiiel turbopump (LPFTP) may trigger an alarm on the sensor failure detector as well as the LPFTP seal leakage fault 
mode detector. Expert knowledge is needed to resolve the conflicting reports from the various failure mode 
detectors. This is the function of the diagnostic expert layer. Here, the heuristic nature of this decision process 
makes it desirable to use an expert system approach. 

Implementation of the real-time diagnostic system described above requires a wide spectrum of information 
processing capability. Figure 2 shows the current setup for the implementation of the distributed diagnostic system 
in the NASA-Lewis ICS group. Generally, in the condition monitoring layer, fast data processing is often needed 
for feature extraction and signal conditioning. This is usually followed by some detection logic to determine the 
selected faults on the component level. Three different techniques are used to attack different fault detection 
problems in NASA Lewis Research Center ICS testbed simulation [3]. The first technique is the neural network 
application for real-time sensor validation which includes failure detection, isolation and accommodation. The results 
of this neural network approach has been reported in details in [4,5]. The second approach demonstrated is the 
model-based fault diagnosis system using on-line parameter identification techniques where input data is processed 
to estimate important parameters for the predefined fault detection logic [6,7]. Besides these model based 
diagnostic schemes, there are still many failure modes which need to be diagnosed by the heuristic expert knowledge. 
The heuristic expert knowledge is implemented using a real time expert system tool called G2™ [3]. Finally, the 
distributed diagnostic system requires another level of intelligence to oversee the fault mode reports generated by 
component fault detectors. The decision making at this level can be best done using a rule-based expert system. 


Neural Network Based Sensor Validation 

In order to improve the operational reliability of the reusable rocket engine, it is necessary to validate the 
measured sensor data, isolate any failed sensor and recover the failed sensor measurements. There has been an 
extended effort in applying analytical redundancy to the sensor failure detection and isolation in the jet engine failure 
diagnosis problem [8]. In general, this approach utilizes the engine model and the Kalman Filter to detect the 
isolate sensor failures. Similarly, in the approach of a neural network based sensor validation, an autoassociative 
neural network is first trained to learn the relationships within the redundant sensor group and then used to estimate 
the sensor output as a group which is insensitive to a few corrupt sensors. 

More precisely, the goals of the neural network based sensor validation are to identify the failed sensor 
where its output is inconsistent with other measurements, and to generate an estimated value for the failed sensor. 
In order to apply the neural networks for sensor validation, the sensor measurements are first studied and a group 
of analytically redundant sensors are selected. In the study of SSME propulsion system, a group of flight sensors 
on the fuel system has been found to be strongly correlated. Figure 3 shows the inter-dependency of the sensor 
group. A special class of the autoassociative neural network is then trained to generate on-line estimates for all 
sensors whether normal or corrupt. The autoassociative neural network used here is a special selected type where 
first half of the neural network is to compress the data into a minimum order of representation and the second half 
the neural network is to recovery the encoded information. Figure 4 shows the structure of the autoassociative neural 
network for sensor validation. By doing the information compression and recovery, the neural network will be 
relatively insensitive to the errors generated by a single sensor. By comparing the incoming measurements with 
corresponding estimates, a sensor failure can be identified if a sensor reading departs from its estimated value while 
other sensor readings stay close to their estimates. Failed sensor isolation is done by replacing the failed sensor input 
(to the neural network estimator) with its estimated value. The neural network then can be used to detect consecutive 
sensor failures. The sensor validation scheme has been tested on the simulated sensor output data of the SSME 
operation. Figure 5 shows the output of the sensor validation scheme for the the combustion chamber inlet pressure 
(P c ) during a series of sensor failures. P c is key a control parameter and a loss of the measurement can be fatal in 
the SSME operation. In the simulation, the P c sensor was simulated to have its sensor value falling at the rate of 
300 psi per second. It is observed that the estimated value follows very closely in despite of the sensor failures. 
The figure also shows the estimation of the failed PC sensor is held closely to its actual value during other sensor 
failures. Figure 6 shows a similar result on the sensor failure validation of another control variable, the Low Pressure 
Fuel Pump discharge temperature, during the multiple sensor failures. 
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Model Based Fault Detection 


Model based fault detection is the technique that utilizes the nominal operation model to detect any abnormal 
operating behavior that can be classified into a specified structure. In order to develop a baseline operational 
reference model, a piecewise linear model of the Space Shuttle Main Engine was first developed in [9]. The 
performance model of the SSME can be described as: 

x(n+l) = A x(n) + B u(n) + co(n) (1) 

y(n) = C x(n) + r\ (n) 


where x, u and y are the state, the input and the output vectors, co and t| are process error vector and 
sensor measurement error vector respectively. A, B, and C are the system matrices. 

The SSME model uses the positions of the control valves as its inputs to predict the performance variables: 
Chamber Pressure and Mixture Ratio. In [9], a system identification algorithm is developed to determine these 
parameters from the measurements of the input and output data The A, B, C matrices obtained for this model are 
used as baseline process parameters of the system. Any changes of these parameters observed through real time 
identification, above preselected threshold values are used to detect and diagnose the failures. 

Fault modes are classified into three different classes: actuator faults, sensor failures, and system 
performance degradations. Each fault mode has a different structure in its representations. For example, an actuator 
failure can be modelled by the following equation: 

u^fn) = F. u(n) + f ^ (2) 

where u^/n) and u(n) are the actual actuator output due to actuator failure and the requested actuator input 
respectively, the matrix F, is a diagonal matrix and f* is a constant vector, both with appropriate 
dimensions. 

Different values of matrix F a and vector f^ represent different types of faults of a specific actuator. They 
serve as the signature of actuator faults. Table 1 is the list of the expected fault parameters for the common actuator 
faults. The actuator fault detection can then be done by a special designed module which does the real-time 
estimation of the values of matrix F a and vector f^ using the most current input/output information and the a priori 
information of system matrices A, B, and C. This module considers only the actuation faults which affect the 
performance model. The module is described as a hypothesis module in [9]. Similarly, the sensor failures and 
system performance degradations are represented by different structures. Different fault parameters are then used 
to describe different types of faults in their classes. Two more hypothesis modules, for sensor failure and system 
degradation respectively, are used in this model based detection algorithm. Also, measured are the residues of these 
hypothesis modules which are calculated by the differences between the current measurements and their predicted 
values. The residues are the indication of the fitness of these models which can be translated into the confidence 
of the hypotheses. For example, in the case of an actuator fault, not only the fault signatures F t and f^ are expected 
to have some specific values associative to the fault, but also the residues generated in this module to be relatively 
small comparing to other hypothesis modules. Figure 7 shows the basic structure of this distributed diagnostic 
scheme. In the demonstration system at NASA-LeRC only the actuator faults are studied in detail and their on-line 
estimation algorithm is implemented. The estimated values of fault parameters are used to identify the place and 
type of the failed actuator as well as to estimate its failed position which is essential for controller to make the 
accommodation actions. Figure 8 shows the estimated fault parameters before and after an actuator failure (OPOV 
stuck). The parameter F,(l,l) which drops to 0.0 is an indication of the valve is no longer following the command. 
The bias term f^l) is then used to calculate the stuck position. Figure 9 is the calculated residue vector of the 
hypothesis module which indicates the high confidence of the model after the transition period of the estimation. 
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Rule Based Fault Detection 


Rule based fault detection is used for the diagnosis of those fault modes which require the heuristic expert 
knowledge. Because of real-time requirement of the Intelligent Control System the expert system software G2™ 
by GENSYM Corp. was select because of its capability in dealing with real-time data. A G2 implementation of the 
rule based diagnostic system for High Pressure Oxidizer Turbopump failure modes is described in [3]. Expert rules 
are also used to resolve the conflict reports from the sensor failure detection module, the model based fault detection 
module, and the component fault detection modules. 

There are three types of knowledge to be built into a typical G2 expert system: object classification, 
simulation formulae, and inference rules. As a typical knowledge based system, all objects in the application are 
described in terms of classes and subclasses. Each class has its own specific attributes. For example, all types of 
seals belong to a super class called SEAL which has common properties like flow rate, seal clearance, etc. Under 
this general description of a seal there are different subclasses of seals such as STEP-SEAL, LABYRINTH-SEAL, 
and SLINGER-SEAL [10]. Each of these subclasses of SEAL will have its own attributes which are specific to 
the subclass. Table 2 shows the object class definition in the HPOTP seal system. They are the building blocks for 
HPOTP seal knowledge model. Instances under a class can be created to represent physical objects. For example, 
PRIMARY-SEAL is an instance of STEP-SEAL. The relationships between objects ar established through 
connections. The values of the attributes of an object are obtained through three mechanisms: sensor inputs, 
simulation formulae, and inference rules. If a sensor measurement is available for a particular variable in the G2 
knowledge base, an external sensor input can be connected to that variable. This is done by the real-time 
communication through GSI^ (G2 Standard Interface). In the NASA-LeRC ICS demonstration system the 
communication link of GSI handles more than 60 real-time sensor information for the G2 knowledge base. An 
attribute of an object can also receive its value through a simulation formula or from the conclusion of an inference 
rule when sensor data is not available. G2 rules contain expert's knowledge of what to conclude and how to respond 
to a given set of conditions. When the antecedent of a rule is evaluated (by the inference engine) as true, the rule 
is invoked and the action part of the rule is executed. The actions include: determining a variable's value, sending 
a value to an external destination, informing the user, activating or deactivating a specific set of knowledge base, 
etc. Figure 10 shows some of the rules used in the HPOTP seal problem diagnosis. 


Conclusion 

In this paper, different techniques used in the real-time diagnostic system for reusable rocket engine are 
described. A neural network based diagnostic system is used for on-line sensor failure detection, isolation and 
accommodation. A model based diagnostic system based on the nominal operation data is used to detect the actuator 
faults. Classification of actuator faults and the estimation of the fault severity are done by the estimation of selected 
fault parameters. An on-line knowledge system is used to detect those component faults which are traditionally done 
using heuristic expert knowledge. Rules are used to resolve the conflicting reports from different detection modules. 
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Table 1 . SSME Actuator Fault Signatures 
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Table 2 Class and Subclass Definition of the HPOTP Seal System 
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Figure 1 Distributed Diagnostic Architecture 
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Figure 3 Influence Sensor Map of SSME Fuel System 



Figure 4 Autoassociadve Neural Network for Sensor Validation 






NORMALIZED OUTPUTS 
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To Diagnostic Expert System 



Figure 7 Model-Based Fault Detection and Diagnostic System 



Figure 8 Estimated Fault Parameters on OPOV Valve Stuck 
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Figure 9 Residue of the Hypothesis Module on OPOV Valve Stuck 



if (the pressure of oxid-cavity-1 > 55) and 
(the temperature of oxid-cavity-1 < 380) 
and (the down-pressure of OXID- 
SLINGER <150) then conclude that the 
status of OXID-SEAL is failed 


if the status of any step-seal is failed then 
change the color-pattern of the step-seal 
so that foreground-color is cyan 

if (the pressure of cavity-1 < 125) and (the 
pressure of cavity-2 > 25) then conclude 
that the status of second-seal is failed 

if (the pressure of cavity-2 > 14) and (the 
pressure of purge-cavity < 62) then 
conclude that the status of purge-seal-r 
is failed 


if the pressure of cavity-1 > 400 and the 
down-pressure of hg-line-1 > 50 then 
conclude that the status of prime-seal is 
failed 

if (the pressure of oxid-cavity-1 > 35) and 
(the pressure of purge-cavity < 100) then 
conclude that the status of purge-seal-l is 
failed 


Figure 10 Examples of G2 Rules in HPOTP Seal Diagnosis 
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